Written by staff writer.
Multiple law enforcement and security agencies are warning US and Japanese multinationals to check the internet routers at subsidiaries and branches as a Chinese state-linked hacking group called BlackTech attempts to infiltrate big multinational companies via their smaller entities.
The joint advisory, “People’s Republic of China-Linked Cyber Actors Hide in Router Firmware”, issued on September 27 by the US National Security Agency (NSA), Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC), warns that BlackTech (a.k.a Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) can modify router firmware, and capitalising on routers’ domain-trust relationships, infiltrate subsidiaries to then jump to the IT systems the real targets – the headquarters of large multinationals in the US and Japan.
The advisory says the hackers have targeted government, industrial, technology, media, electronics, and telecommunication sectors, including entities that support the US and Japanese militaries.
“BlackTech actors use custom malware, dual-use tools, and living off the land tactics, such as disabling logging on routers, to conceal their operations,” the advisory reads, going on to add that the hackers use custom malware payloads and remote access tools to target victims’ operating systems.
Custom malware payloads, including BendyBear, Bifrose, BTSDoor, FakeDead (a.k.a. TSCookie), Flagpro, FrontShell, IconDown, PLEAD, SpiderPig, SpiderSpring, SpiderStack, and WaterBear have been used to target Windows, Linux, and FreeBSD operating systems.
“BlackTech actors continuously update these tools to evade detection by security software,” the advisory notes. “The actors also use stolen code-signing certificates to sign the malicious payloads, which make them appear legitimate and therefore more difficult for security software to detect.”
After establishing a foothold in a target network and gaining admin access, the hackers often modify the firmware to hide their activity and maintain that access. BlackTech targets branch routers at remote outposts of multinationals to connect to headquarters, blending in with corporate traffic and moving towards their real target.
The advisory named IOS routers produced by the US-based technology company Cisco, as a favoured access point but noted that company’s product is not the only router device exploited. “BlackTech actors have compromised several Cisco routers using variations of a customized firmware backdoor,” the advisory reads. “The backdoor functionality is enabled and disabled through specially crafted TCP (transmission protocol control) or UDP (user data protocol) packets. This TTP (tactics, techniques, and procedures) is not solely limited to Cisco routers, and similar techniques could be used to enable backdoors in other network equipment.”
In response to being named in the advisory, Cisco says there is no indication that BlackTech exploits any Cisco vulnerabilities. “The stolen code-signing certificates mentioned in the report are not from Cisco,” a statement from the US-based technology company says. “The most prevalent initial access vector in these attacks involves stolen or weak administrative credentials. As outlined in the report, certain configuration changes, such as disabling logging and downloading firmware, require administrative credentials.”
The advisory recommends organisations familiarise themselves with the threat and implement the suggested detection and mitigation techniques to protect devices and networks.
